Tag Archive for: Thought Leadership

Trump Administration Should Read and Heed Obama Cyber Report

SIGNAL | January 31, 2017

By Ray Rothrock

As the nation deals with intelligence reports of Russian hacks of the U.S. presidential election, some of us in industry are pondering how President Donald Trump will tackle cybersecurity issues.

He already has a good road map. In December, the Commission on Enhancing National Cybersecurity issued its “Report on Securing and Growing the Digital Economy.” Kudos are in order. It is high time the executive branch dug deeply into cybersecurity issues.


Shadow Brokers Turn Out the Lights

The Shadow Brokers are turning out the lights. On their way out they dumped another suite of alleged National Security Agency hacking tools. Unlike last time, when the released exploits focused on network gear from vendors such as Cisco and Fortinet, these tools and exploits target Microsoft Windows operating systems. Most of the sixty-plus exploits are already detected by antivirus vendors such as Kaspersky, and it is a safe bet that all antivirus vendors will detect them shortly.

In the Shadow Brokers’ farewell post, they say they are leaving the account open for someone to deposit 10,000 bitcoins — the equivalent of $8.2 million — to obtain the entire cache of alleged NSA hacking tools. To date, no one has paid the requested amount. With such a high price, it has been speculated that the Shadow Brokers never seriously expected anyone to pay. This leads some to believe they are associated with a nation state that is trying to cause headaches for US spy agencies and the administration.

What can be done to protect your systems from these tools and exploits? Basic security practices, of course. Keep your systems up to date with patches and operating system releases. Practice your usual good cyber hygiene, such as not clicking on links in emails. Be conscientious about what you plug into your home or business computers, as a lot of malware spreads through external hard drives and USB sticks.

Also, it is imperative to have good backups and to test them by actually restoring. Many times after a breach occurs, organizations find out too late that they have never exercised their restore procedures, so they never verified that the backups were complete and intact. Or they learn that the backups themselves carry malware, because they captured systems that had already been compromised.
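The restore test described above, as an added example written for this page (not RedSeal's code): a backup records a checksum manifest at backup time, and a verification step restores the archive into a scratch directory and checks every file against that manifest, so a silently corrupted or incomplete backup is caught before you need it. The sample files, the archive names and the deliberately corrupted copy are all constructed for the example.

```python
"""Backup with a checksum manifest, plus a restore test that proves the
archive actually comes back intact. Added example; sample data is constructed."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Tar+gzip every file under src and return a {relative path: sha256}
    manifest recorded at backup time. The manifest (also written beside the
    archive) is what a later restore test is checked against; without it you
    only know that the tar command ran, not that the data came back."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a throwaway directory and compare every restored file
    with the manifest. Returns a list of problems; empty means the backup
    restores completely and intact."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            for m in tar.getmembers():
                # Never trust member paths: an archive can carry '../' or '/'.
                if m.name.startswith("/") or ".." in Path(m.name).parts:
                    problems.append("unsafe path: " + m.name)
                    continue
                try:
                    tar.extract(m, str(root), filter="data")
                except TypeError:  # interpreter without the filter= argument
                    tar.extract(m, str(root))
        for rel, expected in manifest.items():
            restored = root / rel
            if not restored.is_file():
                problems.append("missing: " + rel)
            elif sha256_file(restored) != expected:
                problems.append("corrupt: " + rel)
    return problems


def tamper(archive: Path, out: Path, rel: str, data: bytes) -> None:
    """Write a copy of archive with one member's content replaced. Used here
    only to simulate a backup that was silently corrupted after it was taken."""
    with tarfile.open(archive, "r:gz") as src, tarfile.open(out, "w:gz") as dst:
        for m in src.getmembers():
            if m.name == rel:
                info = tarfile.TarInfo(rel)
                info.size = len(data)
                dst.addfile(info, io.BytesIO(data))
            else:
                dst.addfile(m, src.extractfile(m))


def demo() -> tuple:
    """Constructed end-to-end run: a good backup verifies clean; a copy whose
    config file was corrupted does not. Returns (clean_problems, bad_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "config.ini").write_text("[db]\nhost=10.0.0.5\n")  # constructed
        (src / "notes.txt").write_text("constructed sample file\n")
        good = tmp / "backup.tar.gz"
        manifest = make_backup(src, good)
        clean = verify_restore(good, manifest)
        bad = tmp / "backup-bad.tar.gz"
        tamper(good, bad, "etc/config.ini", b"\x00" * 16)
        return clean, verify_restore(bad, manifest)


if __name__ == "__main__":
    print(demo())
```

The point of the scratch-directory restore is that it exercises the same path an incident responder would use, on a schedule, instead of trusting a "backup completed" log line. The traversal check matters for the same reason the restore does: the archive you restore after an incident may not be the one you wrote.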

Have an incident response plan in place and practice it regularly. Having a plan is great, but you need to practice to make sure your team can execute it. A plan without practice is the equivalent of a firefighter knowing that it takes water to put a fire out, but not knowing how to get the water off the fire truck and onto the fire.

Know your network, and consider using RedSeal to do it. Even if you don’t use us, knowing your network will greatly enhance resilience and enable your incident responders to keep business- and mission-critical systems online and functioning during an incident. Security is not sexy, despite what Hollywood depicts. There is no silver bullet that will magically make your network impervious. It takes hard work and continuous effort to build and maintain resilient networks. So, do you know yours — completely?

RedSeal CEO: Executives Need “Visualization” to Help Determine Cybersecurity Effectiveness

GOVERNMENT SECURITY NEWS | December 22, 2016

The past two weeks have been affirming ones for Ray Rothrock and his team at RedSeal.

Just hours after his company shared their findings regarding corporate executives and their cyber naivete – including an alarming statistic showing more than 80 percent of CEOs are confident in their companies’ strategies even as cyber incidents continue to rise – officials from Yahoo announced they discovered a breach that originated three years ago and compromised the data of more than a billion users.

Smart Devices are Simple When it Comes to Cybersecurity

CBR ONLINE | 14 November 2016

RedSeal CTO, Dr Mike Lloyd, on the thing about things – with some pizza on the side

The Mirai strain of malware has focused a lot of attention on the Internet of Things, after a Mirai-infected botnet of IoT devices was used to cripple large parts of the Internet on October 21st. Huge numbers of simple Internet-connected devices (cameras, home routers, baby monitors, etc.) were used to flood the infrastructure of the DNS provider Dyn, causing collateral damage to a wide array of other websites that depended on it.

RedSeal: Digital Gatekeeper

RED HERRING | November 1, 2016

As our use of technology has evolved, so have the threats that can derail and even destroy a business or even a country. Remember December 2013, when credit card information from 40 million customers was stolen a few days before Christmas in a major attack on Target? Or the power outage (allegedly triggered by Russia) that lasted six to nine hours in Ukraine during the Christmas season last year? Cyber attacks are more of a threat to companies and governments today than they were yesterday, and will become even more so tomorrow.

Ray Rothrock: A Venture Capitalist with a Cause

RED HERRING | November 1, 2016

Most venture capitalists embrace the career after a stint as a banker, CEO, or tech executive. The average tenure as a VC then spans over 15 years, during which they groom two new startups per year and enjoy the lifestyle attached to that profession. Eventually they retire, often rich, and “vanish to the sunset,” as John Fisher, the founder of Draper Fisher, elegantly puts it. Few would have anticipated that Ray Rothrock would go the other way, and reverse from a successful quarter-century role at Venrock, the famous Rockefeller venture firm, to spearhead a then-fledgling startup as the last assignment in his professional journey.

Discovering a Cure for Cyber Threats

BECKER’S HOSPITAL REVIEW | October 17, 2016

Improving security for electronic health records will enhance trust and unlock their full potential.

A friend of mine recently had a frustrating experience trying to send his medical records to a major hospital. He wanted to email them; however, the hospital said no, they only accept faxed records. They said there are simply too many security risks involved with electronic records.

Micro-Segmentation: Good or bad?

COMPUTING | 27 September 2016

Mike Lloyd, CTO at RedSeal, argues that more granular control is a good thing, but it’s easier said than done.

There’s a lot going on in virtual data centres. In security, we’re hearing many variations of the term “micro-segmentation”. (It originated from VMware, but has been adopted by other players, some of them adding spin.)

To Maintain Democracy, Digital Networks Must Be Improved

ThirdCertainty | September 13, 2016

Automation, segmentation and continuous oversight of voting systems will strengthen trust in government

By Ray Rothrock, RedSeal CEO

As the presidential election enters its home stretch, the Democratic National Convention cyber hack and issues with local voting machines have made cybersecurity part of the election story. After the election, I fully expect an accusation from the loser about electronic voter fraud, which will cast doubt on the most important element in any election: Trust.

Hol(e)y Routers, Batman!

Most people think about network infrastructure about as much as they think about plumbing – which is to say, not at all, until something really unfortunate happens. That’s what puts the “infra” in infrastructure – we want it out of sight, out of mind, and ideally mostly below ground. We pay more attention to our computing machinery, because we use it directly to do business, to be sociable, or for entertainment. All of these uses depend critically on the network, but that doesn’t mean most of us want to think about the network itself.

That’s why SEC Consult’s research into exploitable routers probably won’t get the attention it deserves. That’s a pity – it’s a rich and worthwhile piece of work. It’s also the shape of things to come, as we move into the Internet of Things. (I had a great conversation a little while ago with some fire suppression engineers who are increasingly aware of cyber issues – we were amused by the concept of The Internet of Things That Are on Fire.)

In a nutshell, the good folks at SEC Consult searched the Internet for devices with a particular kind of broken cryptography – specifically, devices whose private keys are already public knowledge, because the same key was baked into the firmware of every unit a vendor shipped. This is equivalent to having nice, shiny locks visible on all your doors, but all of them lacking deadbolts. It sure looks like you’re secure, but there’s nothing stopping someone simply opening the doors up. (At a minimum, the flaw they looked for makes it really easy to decrypt traffic that was supposed to be private; depending on context, it can also allow an attacker to masquerade as the device, or to log in and control it.)
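A small version of the check SEC Consult ran, as an added example written for this page (not SEC Consult's or RedSeal's code): take SSH host keys as `ssh-keyscan` prints them, compute their OpenSSH-style SHA256 fingerprints, and flag two things – keys that turn up on more than one device (the baked-in-firmware pattern) and keys that appear on a list of already-published private keys. The key blobs, the host addresses and the "published" key are all constructed here so the example runs offline; a real audit would load the fingerprint list from the advisory and feed it the output of your own scan.

```python
"""Find SSH host keys shared across devices or matching a published list of
compromised keys. Added example; all key material below is constructed."""
import base64
import hashlib
from collections import defaultdict


def ssh_string(b: bytes) -> bytes:
    """Length-prefixed byte string, as used inside SSH public key blobs."""
    return len(b).to_bytes(4, "big") + b


def rsa_blob(e: int, n: int) -> str:
    """Base64 'ssh-rsa' public key blob for the given exponent and modulus.
    The moduli used below are small constructed integers, not real keys."""
    def mpint(x: int) -> bytes:
        return x.to_bytes((x.bit_length() + 7) // 8, "big")
    raw = ssh_string(b"ssh-rsa") + ssh_string(mpint(e)) + ssh_string(mpint(n))
    return base64.b64encode(raw).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Stand-in for a published list of compromised keys (a vendor's baked-in
# firmware key). In practice you load the fingerprints from the advisory;
# here the key is constructed so the example runs offline.
PUBLISHED_KEY_BLOB = rsa_blob(65537, 0xC0FFEE_1234_5678_9ABC_DEF0)
KNOWN_COMPROMISED = {fingerprint(PUBLISHED_KEY_BLOB)}


def parse_keyscan(text: str):
    """Yield (host, keytype, fingerprint) from ssh-keyscan output, ignoring
    the '# host:port banner' comment lines it also prints."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], fingerprint(parts[2])


def audit(text: str):
    """Return (shared, compromised).
    shared: {fingerprint: [hosts]} for any key found on more than one host;
    compromised: {host: fingerprint} for hosts using a known-compromised key."""
    hosts_by_fp = defaultdict(set)
    compromised = {}
    for host, _keytype, fp in parse_keyscan(text):
        hosts_by_fp[fp].add(host)
        if fp in KNOWN_COMPROMISED:
            compromised[host] = fp
    shared = {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}
    return shared, compromised


# Constructed ssh-keyscan output: two routers shipped with the same key, one
# device with a unique key, and one still running the published firmware key.
SHARED_BLOB = rsa_blob(65537, 0xDEAD_BEEF_0000_1111_2222_3333)
UNIQUE_BLOB = rsa_blob(65537, 0x1357_9BDF_2468_ACE0_FEDC_BA98)
SAMPLE_KEYSCAN = "\n".join([
    "# 10.0.0.1:22 SSH-2.0-dropbear",
    "10.0.0.1 ssh-rsa " + SHARED_BLOB,
    "10.0.0.2 ssh-rsa " + SHARED_BLOB,
    "10.0.0.3 ssh-rsa " + UNIQUE_BLOB,
    "10.0.0.4 ssh-rsa " + PUBLISHED_KEY_BLOB,
])

if __name__ == "__main__":
    shared, compromised = audit(SAMPLE_KEYSCAN)
    for fp, hosts in shared.items():
        print("shared key", fp, "on", ", ".join(hosts))
    for host, fp in compromised.items():
        print("known-compromised key on", host, fp)
```

Sharing detection needs no advisory at all: if two of your devices present the same host key, someone who extracts the private key from one unit (or buys the same model) can impersonate the other, whether or not anyone has published it yet. The same approach applies to TLS certificates on management interfaces, with the fingerprint taken over the certificate's public key instead of the SSH blob.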

And what did they find when they twisted doorknobs? Well, if you’ve read this far, you won’t be surprised that they uncovered several million devices whose “private” keys anyone could look up. Interestingly, they were primarily those infrastructure devices we prefer to forget about. Coincidence? Probably not. The more we ignore devices, the messier they tend to get. That’s one of the scarier points about the Internet of Things – once we have millions or billions of online objects, who will take care of patching them? (Can they be updated? Is the manufacturer responsible? What if the manufacturer has gone out of business?)

But what really puts the icing onto the SEC Consult cake is that they tried hard to report, advertise, and publicize everything they found in late 2015. They pushed vendors; they worked with CERT teams; they made noise. All of this, of course, was an attempt to get things to improve. And what did they find when they went back to scan again? A 40% increase in devices with broken crypto! (To put the cherry onto that icing, the most common device type they reported before has indeed tended to disappear. Like cockroaches, if you kill just one, you’re likely to find more when you look again.)

So what are we to conclude? We may wish our infrastructure could be started up and forgotten, but it can’t be. It’s weak, it’s got mistakes in it, and we are continuously finding new vulnerabilities.

One key take-away from these router vulnerabilities: never expose management interfaces to the Internet. That sounds too trivial to even mention – who would knowingly do such a thing? But people do it unknowingly, and only find out when the fan gets hit. When researchers look (and it gets ever easier to automate an Internet-wide search), they find millions of devices that violate even basic, well-understood practices.

How can you tell if your infrastructure has these mistakes? I’m not saying a typical enterprise network is all built out of low-end routers with broken crypto on them. But the lessons from this research very much apply to networks of all sizes. If you don’t harden and control access to your infrastructure, your infrastructure can fail (or be made to fail), and that’s not just smelly – it’s a direct loss of digital resilience. And that’s something we can’t abide.